Friday, 16 November 2012

In the world of security there is often a tendency to
accentuate the negative. This can often be justified. Malware can lead to
data/identity theft and financial fraud and a DDoS attack can create havoc by
denying access to a web site or service etc.

However, security can also be a positive factor – an
enabler. For financial services, each time we use our debit or credit cards in
an ATM or POS terminal in a retail store or use them on an eCommerce website we
have a fair level of assurance that all parties are protected from fraud - where
would eCommerce and financial transaction integrity be without cryptography?

Security technology coupled with sound risk management has
been at the heart of the financial services industry for many years. This
combination of security technology and risk management must be applied to new
methods of providing financial services to bank customers including one of the
hottest channels for providing financial services – Mobile.

Mobile devices, from feature to smart phones and from tablets
to phablets, have become a vital endpoint for accessing banking services. The
mobile banking channel is viewed as one of the most important channels for
delivering financial services to bank customers. These are the same bank
customers that are rapidly adopting these ‘smart mobile devices’ and are using
them as their primary digital device – the first screen for consuming
work/leisure digital content.

With the rush to mobile by financial institutions for
banking and payment services, serious questions have been asked about whether
mobile is secure enough. There is no denying that smart mobile devices are
increasingly being attacked for financial fraud and identity theft. A
combination of platform vulnerabilities and an increased desire from hackers
and fraudsters to attack has led to a situation where mobile devices are under
threat. Mobile malware is on the rise, especially affecting Android, and
banking services, including some mobile-based two-factor authentication (2FA)
services, are under targeted attack.

Much has been commented on mobile vulnerabilities and
whether security vendors are creating scare stories to make mobile users
install their products but my experience tells me that much of this is not FUD
but FACT. As money moves onto mobile devices, it is inevitable that the
criminals will follow.

This has to be one of my favourite quotes (although the
quote may in fact be an urban legend) and I apologise for repeating it again
here but it is such an important message and provides context for this blog.
One of the US’s most prolific bank robbers from the 1920s to the 1950s was a
man named Willie Sutton (AKA “Slick Willie”). In his 40-year ‘career’ he robbed
over one hundred banks and stole an estimated $2 million (a big number in old
money). When asked why he robbed banks he replied “because that’s where the money is”. Why is this important to today’s
ever mobile world? Well I think it is pretty obvious. Soon there will be more
mobile phones than people on this planet and every one of these devices has the
capability of banking (including full transactional banking). From the streets
of Nairobi, Kenya, to the avenues of New York, USA, people are accessing their
bank accounts and transferring money using mobile devices – be it an old
Ericsson ‘brick’ or the latest Apple iPhone; using SMS or a mobile App. It’s
where the money is…

So, is mobile banking a secure method for banking and is it
the most secure yet? I believe that mobile banking has the ‘potential’ to be
more secure than traditional online banking and comparable with other banking
channels. Whether current deployments of mobile banking are secure enough at
the moment is another question. The key word is ‘potential’. Mobile phones and
smart mobile devices have the capability to offer very good levels of security
for banking purposes. Whether it is leveraging the hardware security
capabilities and trusted environment that the Secure Element (SE) offers or
adopting strong mobile-based Multi-Factor Verification (MFV), mobile devices
can play an important part in ensuring trust between the bank customer and
their bank.

In a recently published report from Goode Intelligence written by Ron Condon, Senior Analyst, “Mobile
Banking Security Insight Report”, we investigate the risks to mobile
banking, how banks are securing the mobile banking channel, and analyse the state of
security for this channel.

We have interviewed some of the leading lights in the world
of banking security and have asked them to recommend ways in which mobile
banking can be a trusted channel for financial institutions – actionable steps that banks can adopt to
ensure that their customers are secure when banking on their mobile devices.

I can share some of this advice here. When designing and
deploying mobile banking solutions financial institutions should, at a minimum:

Use the power of the mobile phone to create an
encrypted communication channel between user and bank

The phone’s “fingerprint” should provide one
factor in authenticating the users (the PIN provides another)

Consider using the other facilities on the phone
for stronger authentication (biometrics, geolocation)

Monitor app stores for any rogue apps that
purport to represent your company – and kill them quickly

Introduce a plan for updating mobile banking
apps

Ensure that mobile banking apps are security
tested

Integrate mobile apps with other banking
channels, so that security lessons learned in one channel benefit the others

Educate users about system hygiene when
upgrading their handset, and disposing of an old one

I hope this blog has been useful for you. Please feel free
to contact me to find out more about mobile banking security and our research.
You can follow us on twitter @goodeintel.

Friday, 9 November 2012

I must admit that I didn’t come up with the term Smart Mobile Identity. For that I have
to thank Joey Pritikin at AOptix who I was
lucky enough to meet at the recent Biometrics
exhibition and conference in London during the last week of October 2012. I
first came across the term in a presentation that Joey gave at last year’s Biometrics
conference where he discussed how standard smart phones can be leveraged
for biometric purposes, including user authentication and identity verification [Presentation: Smart Mobile Identity – Beyond Single Purpose Handheld
Biometric Devices].

In my opinion, the term Smart
Mobile Identity really sums up the next generation of mobile-based
authentication and identity verification solutions – something that I have been
involved in for the best part of ten years through various roles including my
current one as Managing Director of Goode
Intelligence.

To me, Smart Mobile
Identity is about leveraging the capabilities of a modern smart mobile
device (SMD) to ensure that our identities are proven or verified when identity
proof (authentication if you like) is required. Not only for proving identity when
accessing digital services through a desktop computer but also for mobile
initiated access and even when we present ourselves in the physical world; at a
country border or when accessing health or social security services. I also
include proving our identity when accessing digital services using other
connected devices, such as gaming consoles, automobiles, smart TVs etc;
adaptive and agile authentication and identity verification to support the
Internet of things. As someone who owns an Xbox 360 Kinect device, the idea of
using a voiceprint or a facial scan to access Xbox LIVE is a realistic possibility.

For mobile device-based authentication and identity
verification solutions, the simplest scenario is being sent a one-time-password
(OTP) via SMS when authenticating ourselves into a network-based service, e.g.
Google’s Authenticator or 2-step verification process. However, this is
changing rapidly and we are in the midst of an evolution in mobile-based
authentication and identity verification solutions, moving away from porting
existing, non-mobile-centric services to the mobile device and towards designing
solutions specifically for mobile: using the microphone for voice biometrics, a
GPS sensor for geolocation, a combination of the accelerometer and touchscreen
for continuous behavioural assessment, securely storing digital certificates in
the SIM or Secure Element (SE), and the camera for facial and eye vein biometrics
(take a look at start-up EyeVerify for this). All these examples work with
standard SMDs now; no need for any specialist equipment.

In addition to these examples, new opportunities are being
presented with the next generation of SMDs that contain new types of embedded
sensors, including NFC, embedded fingerprint and voice recognition sensors. You
can also adapt existing SMDs with add-on sleeves that enable fingerprint recognition
(Precise Biometrics Tactivo
sleeve) and can support smart cards and NFC. The need for single-purpose
devices to capture and verify biometrics in the field may become obsolete as a result
of these developments.

Smart mobile devices offer so many opportunities for authentication
and identity verification and this blog can only scratch at the surface of what
can and will be offered – some of the solutions even encroach into the realms
of science fiction. I was fascinated to come across the iTravel
patent from Apple detailing what the Cupertino tech giant believes to be
the possibility of using a mobile wallet for travel purposes. Managing the end-to-end
travel process from reservation, to ticket receipt/validation, check-in and baggage
claim through to identification at border control. I think all but the last
scenario are achievable now, but I believe that we are far off from using our mobile
devices as virtual passports.

That said, perhaps we are seeing pieces of the jigsaw that tell
us how Apple will integrate the recently acquired fingerprint sensor technology
from AuthenTec – an agile, and very personal, way to protect our wallets or in
Apple’s case our Passbook. Swiping a
finger to lock and unlock our digital wallets.

Every discussion that I have with technology companies
involved in this space, and this includes many of the major authentication and
biometric vendors, involves how best to utilise the smart mobile device for
authentication and identity verification purposes. My recent attendance at the RSA
Europe conference and Biometrics Conference, both held in London, was largely
occupied with meetings with clients and tech vendors that were investing
serious R&D resources into this area of technology.

A number of forward looking organisations and technology
vendors are already leveraging the capabilities of the smart mobile device for
authentication and identity verification purposes. Through my work at Goode
Intelligence I have been exploring the capabilities of mobile devices for
authentication and identity verification and this includes the recent publication
of two free-to-download white papers; Two-Factor
Authentication Goes Mobile and The
Case for Mobile MFV.

Goode Intelligence will continue to track this market and you
can expect some new publications covering smart mobile identity in the coming
months.

Please get in touch if you want to discuss this further or
are a technology innovator working in this exciting field.

Friday, 27 July 2012

I am not surprised with the news that Apple has acquired mobile security and fingerprint sensor vendor AuthenTec in a deal worth $356m.

I have been following the mobile security market since 2004 and this has included the publication of a report for my research and consultancy company, Goode Intelligence, on mobile biometric security published in June of 2011. Smart Mobile Devices (SMDs), a term that we use to define smart phones and tablets, have become the portable computer of choice for both personal and business use. However, questions remain as to the effectiveness of security controls for these devices with the recent Black Hat conference in Las Vegas being dominated by presentations that detail the vulnerabilities of these devices.

Apple's acquisition of AuthenTec, who are not just about fingerprint sensors, is a positive move by the Cupertino-based company and could lead to next generation Apple products having embedded security controls, both hardware and software-based.

As seen in the Goode Intelligence annual mSecurity survey report, Apple iOS has become the number one choice for the enterprise. This position will be well and truly cemented if Apple strengthens its security as a result of the AuthenTec acquisition.

Will this mean embedded fingerprint sensors in next generation Apple products including the iPhone and the iPad? With the acquisition of AuthenTec this has become more likely. I interviewed AuthenTec as part of my research into the mobile biometric market and back in May 2011 they said this; “the integration of fingerprint sensors into wireless smart phones, feature phones and tablets is in its early stages and will accelerate.” Accelerate as a result of being in every iPhone and iPad? A distinct possibility.

Embedded fingerprint sensors on mobile devices are being used to protect the phone (augment standard phone lock as my Motorola Atrix 4G admirably does) and to provide authentication to support NFC-based transactions, including payments, at physical locations. AuthenTec has been doing well in this market since 2004 when it first supplied fingerprint sensors for Fujitsu mobile phones to be used to secure mobile payments for NTT DoCoMo in Japan. With rumours that the next generation iPhone (iPhone 5) will support NFC, will Apple be combining biometric authentication through the use of an embedded fingerprint sensor for mobile payments at the physical point-of-sale?

I was pretty cautious when forecasting the growth of mobile biometric security products and services back in 2011, predicting that the market would grow to 39 million users by 2015. This quote from the report highlights this; "The market is currently slow; but pressure is growing.
Things could change rapidly, from an interesting concept to a 'must have' for
all smart mobile devices."

I did go on to make a conditional statement that is very relevant to this news:

"However, this could all be thrown on its head with the
introduction of embedded biometrics on mobile devices by one of the major
manufacturers – and not just a single product line but standard on all mobile
phone products. The market is always eagerly waiting for the next generation of
Apple iPhones and rumours are circulating that Apple iPhone 5 may include some
form of biometric technology."

Could this news be the catalyst to accelerate the adoption of biometric security onto smart mobile devices? There is now much more of a chance of this happening. I look forward to seeing how Apple builds on AuthenTec's success in the mobile security world.

For news, opinion and analysis on all things mobile security follow me on Twitter - @goodeintel

Friday, 25 May 2012

Mobile malware, in particular Android mobile malware, is
rising. This is a fact.

It has been rising slowly since 2004, as the figures below
from McAfee detail, and the rate has been accelerating since autumn 2011 when a
number of high-profile cases of Android mobile malware hit the press. This
included Google’s official Android Appstore, then called Market now called
Play, being used as a method to distribute Trojanised apps to unwitting
customers. GGTracker [1],
SuiConFo [2] and RuFraud [3] were all Trojanised Android apps that were attempting to defraud consumers
largely by attacking the Premium Rate Service industry through the unauthorised
sending of Premium Rate SMS messages.

[Figure: Mobile Malware Explodes, Increases 1,200% in Q1/2012. Source: McAfee Threats Report: First Quarter 2012]

“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts.” Mobile Threat Report Q12012, F-Secure

Figures
from Goode Intelligence’s annual mSecurity survey back this up with a rise in
the number of reported mobile malware incidents – read infection – in the
workplace from 7% in 2009 to 24% late in 2011; nearly a quarter of all
organisations. This figure is alarming.

We are also seeing
evidence from other sources including telecommunications regulators. In the UK,
the country’s premium rate regulator, PhonepayPlus, has been involved in
investigations into premium rate fraud directly caused by mobile malware.

With the assistance
of Goode Intelligence, (providing research and analysis into the link between
mobile malware and PRS fraud), PhonepayPlus are proactively tracking instances
of mobile malware that are attacking PRS.

One of these
investigations hit the news recently and resulted in a hefty £50,000 fine for a
mobile aggregator, A1 Aggregator Ltd based in Latvia, for managing the SMS
shortcodes that were used in the RuFraud malware attack. From late November
2011, after receiving 34 complaints from consumers of unauthorised PSMS charges
on their phone bills, including an individual losing around £80, the regulator
investigated further and tracked the fraud down to Trojanised versions of
Android Apps distributed via Android Market (Play). The fake apps included
Trojanised versions of Angry Birds, Assassin’s Creed and Cut the Rope. Consumers
had no knowledge of three PSMS messages being sent every time the Trojanised
app was started. Each PSMS message was costing the unwitting user £5.00.

In this one case
1,391 mobile numbers in the UK were affected and an estimated £27,850 worth of
fraud was attempted. Due to the swift action from the regulator, the shortcode
was suspended and none of the £27,850 of UK consumers’ money was able to reach
the fraudsters.

PhonepayPlus found
evidence of the RuFraud Trojan operating in 18 countries. Thankfully the UK has a regulator that is well
advised and has put into place procedures to ensure that this emerging area of
PRS fraud is actively monitored. What about the other 17 countries that were
targeted by this malware? How many consumers have been affected and how much
financial damage has been done in regions where regulation is not so proactive?

The Risk

There is evidence from
multiple sources, including our own, that mobile malware is rising and it is
targeting consumers for, amongst other reasons, financial fraud.

On the face of it,
it seems that the risk of malware infection is getting stronger and both
consumer and enterprise mobile users should take preventative measures to
counteract that threat. These preventative measures include being cautious when
downloading Android apps from appstores, including Google Play and from
third-parties, and checking the permissions carefully. There is also the option
of protecting your mobile device with a mobile security product that is proven
to be effective in preventing mobile malware.

Android is being
targeted as it has a more open platform for downloading and installing apps and
it is becoming the number one mobile platform around the world. This makes it
the number one target for malware in today’s mobile market.

However, we should
also be cautious in assessing the current risk to both consumers and enterprise
users from the threat of mobile malware. Apple’s iOS has been free of malware
and there have been very small numbers of malware that have been known to affect
BlackBerry devices.

Additionally,
Google should be applauded in acknowledging the threat from Trojanised apps in
Play by deploying a solution, Bouncer [4],
which attempts to detect mobile malware on upload. Bouncer was announced early
in 2012, although it has been running during 2011, and it is probably too early
to state how effective the solution is in preventing mobile malware on Play [5].

There is also an
acknowledgement from third-party Android appstores that security is important
as a business differentiator. Goode Intelligence surveyed a number of the
third-party appstores and was pleased that over two-thirds of the respondents
(68 percent) replied with a ‘yes’ to the question “Do you think there is a
commercial benefit for an app store to offer malware detection and prevention
technology?” The tools are
available for these third-party Android appstores with AVG [6] amongst the vendors offering specific security solutions aimed at preventing
the spread of malware from these appstores.

Yes the statistics
do tell us of double and triple digit growth in mobile malware, mainly
targeting the Android platform. However, the risk is still relatively low and
the financial fraud that is being committed as a result of mobile malware is
currently low in value. These are still early days in the history of malware
targeting mobile platforms and indications are that the business drivers for
attacking these platforms are growing, which could result in the situation
getting worse – especially in the short-to-medium term.

And in answer to
the question of attacks on Apple iOS, will this happen? You betcha! As the
famous US bank robber, Willie Sutton, said in response to the question why he
robbed banks; "because that's where the money is." Whether they will
succeed is another matter and the topic for another blog.

Friday, 11 May 2012

We
are regularly bombarded by news stories that announce the death of this or the
death of that. From memory, we have seen “the death of cash”, the “death of the
PC” and the “death of the token”. Usually, these predictions are triggered by
some sort of an event, perhaps the publication of a new report or after a
security incident, e.g. the RSA Security
breach. But, after the dust has settled and the crisis teams have moved onto
the next event, what impact, if any, is felt on the product or technology that
has been affected?

In
a guest blog, Calum MacLeod, EMEA director, Venafi, explores the role of PKI in
a post-Comodo world and suggests that 2012 could be “the year of Public Key
Infrastructure”.

Alan Goode May 2012

Why 2012 is the year of Public Key Infrastructure

Comodo,
Sony, RSA Security and many more have been badly breached recently - but does that
mean the death toll for PKI? Calum MacLeod, Venafi EMEA director, cautions against ringing
that bell yet

Recently, the IT security world was shaken to its very
core. Established and trusted organizations fell from grace as they became
victims of hacking. In the case of Comodo and StartSSL the resultant outcry has
seen many quick to declare that public key infrastructure (PKI) is dead or
dying. However, I believe it is the best we’ve got and it will not be replaced any
time soon – to argue otherwise is a waste of energy. In fact, I actually think
the reverse and that 2012 is the year of PKI.

I could spend ages telling you about the various hacks
and what went wrong, but many others have already done that – including
myself. Let’s assume, however, that you either know or have read about it elsewhere.

Instead, let’s focus on the critical role certificates
and PKI play in securing data and authenticating systems across all types of
organizations. And think of all the systems that now leverage (and very
effectively I might add) PKI, including the traditional IT data center
infrastructure, public and private clouds, and an exploding number of mobile
devices that require authentication, to name just a few.

Within a PKI, a certificate authority assigns each
system or user a unique identity - a digital certificate - that allows the
certificate holder to work within the protected environment. This allows organizations
to let customers, partners, and employees authenticate to systems and users.
I would argue, perhaps controversially, that PKI delivers a virtually seamless
experience for users while providing trusted security.

And it is the word trusted that many of you will scoff
at.

How can they be trusted?

To pretend that they’re infallible is churlish. Instead,
what needs to be recognized is that the world we live in is imperfect and, a
bit like a car, we need more than one security feature if we’re to prevent
ourselves flying through the windscreen.

Let’s use the car analogy to illustrate the point.
Cars have brakes to stop them in an emergency. Yet, all too often, there are
accidents. Has anyone pointed the finger at the braking system and declared it
dead? Of course not. Instead, the designers have worked tirelessly to improve
the overall safety of vehicles, installing impact bars and roll cages, seatbelts,
and an airbag just to make sure. An organization’s security should be approached
in much the same way.

To do this, we need to first understand the challenges
faced. Depending on the IT environment where keys and certificates are being
deployed, some or all of these risks may apply:

Certificates that are not renewed and replaced before
they expire can cause serious unplanned downtime and costly outages

Private keys used with certificates must be kept
secure or unauthorized individuals can intercept confidential communications or
gain unauthorized access to critical systems

Regulations and requirements (like PCI-DSS) require
much more stringent security and management of cryptographic keys, and auditors
are increasingly reviewing the management controls and processes in use

The average certificate and private key require four
hours per year to manage, taking administrators away from more important tasks
and cost hundreds of thousands of dollars per year for many organizations

If a certificate authority (CA) is compromised or an
encryption algorithm is broken, organizations must be prepared to replace all
of their certificates and keys in a matter of hours

The rollout of new projects and business applications
are hindered because of the inability to deploy and manage encryption to
support the security requirements of those projects

Manage Certificates Properly

As this highlights, certificate and encryption or private
key management can be complicated. The fact that there are typically several
people involved in the management of certificates and private keys makes the
probability of error even higher.

Clearly defining roles and responsibilities so that
everybody knows what they’re responsible for can significantly decrease the
likelihood of failure and make it easier to work out how to improve processes
when something does go wrong. In some areas, system administrators will
manually enroll for and install certificates. In others, a central system may
be used for automated installation.

The last thing you want as an organization is to be
running around trying to figure out who is responsible for a key or certificate
when an issue arises. Compile a list of responsible groups and/or individuals
for each key and certificate in your inventory and develop a method for keeping
the information current.
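The risk list above (expiry outages, CA compromise, broken algorithms) and the advice to keep an owner recorded against every key and certificate come together in a simple inventory. The following is an added example written for this post, not Venafi's product or the author's own code; hostnames, CA names, teams and dates are constructed placeholders.

```python
# Added example (not from the original post): a minimal certificate inventory that
# answers the operational questions raised in the guest post. All data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class CertRecord:
    host: str                 # system the certificate is installed on
    issuer: str               # issuing CA, as it appears in the certificate
    not_after: datetime       # expiry
    sig_alg: str              # signature algorithm named in the certificate
    owner: Optional[str]      # responsible team; None means nobody has claimed it


UTC = timezone.utc
NOW = datetime(2012, 5, 11, tzinfo=UTC)                 # fixed "today" for the sample run
COMPROMISED_CA = "Example Compromised CA"               # placeholder: a CA whose trust is withdrawn
BROKEN_SIG_ALGS = {"md5WithRSAEncryption"}              # algorithms that must not stay in service

# Constructed sample inventory.
INVENTORY: List[CertRecord] = [
    CertRecord("www.example.com",   "Example Public CA", datetime(2012, 6, 1, tzinfo=UTC),  "sha256WithRSAEncryption", "web-team"),
    CertRecord("vpn.example.com",   COMPROMISED_CA,      datetime(2013, 1, 15, tzinfo=UTC), "sha256WithRSAEncryption", "network-team"),
    CertRecord("legacy-db.internal", "Internal Root CA", datetime(2012, 5, 20, tzinfo=UTC), "md5WithRSAEncryption",    None),
    CertRecord("mail.example.com",  "Example Public CA", datetime(2014, 3, 1, tzinfo=UTC),  "sha256WithRSAEncryption", "messaging-team"),
    CertRecord("api.example.com",   COMPROMISED_CA,      datetime(2012, 11, 30, tzinfo=UTC), "sha256WithRSAEncryption", "web-team"),
]


def expiring_within(inventory: Iterable[CertRecord], now: datetime, days: int) -> List[CertRecord]:
    """Certificates that expire inside the renewal window, soonest first: the
    unplanned-outage risk from the list above."""
    horizon = now + timedelta(days=days)
    return sorted((c for c in inventory if c.not_after <= horizon), key=lambda c: c.not_after)


def unowned(inventory: Iterable[CertRecord]) -> List[CertRecord]:
    """Certificates nobody is responsible for: the gap you discover mid-incident."""
    return [c for c in inventory if c.owner is None]


def issued_by(inventory: Iterable[CertRecord], issuer: str) -> List[CertRecord]:
    """Everything that must be reissued if this CA is compromised."""
    return [c for c in inventory if c.issuer == issuer]


def weak_signatures(inventory: Iterable[CertRecord], broken: set) -> List[CertRecord]:
    """Everything that must be replaced because its algorithm is no longer acceptable."""
    return [c for c in inventory if c.sig_alg in broken]


def replacement_plan(inventory: List[CertRecord], now: datetime, compromised_issuer: str,
                     broken_algs: set, days: int = 30) -> Dict[str, List[str]]:
    """One work list per responsible team covering every certificate that needs
    action, so nobody has to ask 'whose is this?' during the incident."""
    needs_action = (set(expiring_within(inventory, now, days))
                    | set(issued_by(inventory, compromised_issuer))
                    | set(weak_signatures(inventory, broken_algs)))
    plan: Dict[str, List[str]] = {}
    for cert in needs_action:
        plan.setdefault(cert.owner or "UNASSIGNED", []).append(cert.host)
    for hosts in plan.values():
        hosts.sort()
    return plan


if __name__ == "__main__":
    for team, hosts in sorted(replacement_plan(INVENTORY, NOW, COMPROMISED_CA, BROKEN_SIG_ALGS).items()):
        print(f"{team:15s} {', '.join(hosts)}")
```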

Prepare for it

If you act on the principle that you’re going to be hacked
– it’s just a matter of time – then at least you’ll be prepared should it happen.

Just like brakes in a car, encrypt everything. Ensure
that your encryption systems provide the security they are designed to deliver
while simultaneously reducing operational risk and administrative workload. Finally,
know where everything is.

PKI and SSL are sensible platforms for certificate
management. Abolishing them and putting something else in their place is not
feasible – the vehicle already exists and it is not going away anytime soon. Instead,
organizations need to recognize the challenge of using them and decide how
they’re going to handle the coming explosion in certificates.

Sunday, 29 April 2012

I think a kayak would have been a more suitable mode of
transport in getting to Infosecurity Europe
2012 this year. Europe’s largest information security trade show, held each
year in London, certainly drew in the crowds despite the deluge of rain that
greeted them each day.

I have been coming to Infosec for far too many years to
count, both as an information security professional and latterly as an industry
analyst, and even my trade show-weary eyes were impressed with the buzz that
emanated from the show.

This blog is my take on the show with an emphasis on mobile
security.

Focus not on technology but people and process

I always enjoy my
regular catch-up meetings with William Beer, Director, One Security, PWC, and
our meeting at Infosec was no exception. It was a great start to the first day
of the show and pulled me back from just concentrating on the technology – an
easy trap at such a technology-dominant show.

We both agreed that the trend of
mobile BYOD was here to stay and that organisations were well down the road to
building this into IT strategy. As with all emerging trends there will be
mistakes made and technology that may solve one immediate problem may be
shelved as business owners and IT functions begin to understand some of the new
dynamics that face them.

We both agreed that
organisations need well informed and balanced advice on how to support mobility
and in particular the conundrum that employee-owned mobile devices can
introduce to organisations large and small.

I look forward to my
next catch up with William and I am sure that, as always, there will be plenty
to discuss.

Smart ways to authenticate on smart mobile devices – the next wave of mobile authentication/identity solutions

I am always on the lookout for new and innovative methods of
authenticating people on mobile devices and was lucky to catch up with three
innovative vendors operating in this space: ActivIdentity (part of HID Global),
BehavioSec, and Live Ensure.

ActivIdentity

I have been speaking with ActivIdentity since first
researching the market for mobile device-based authentication solutions back in
2009 and have been keeping a close eye on them ever since. They are now part of HID Global, a
leader in physical access control.

I caught up with Alan Davies, Vice
President Identity Assurance Sales EMEA, to get an update on
their mobile solutions and to see how far they had come with enabling both
physical and logical access control using a mobile device (something that their
smart card solutions have been enabling for some time now). The pairing of ActivIdentity and HID Global
has created solutions that allow mobile phones to be used to enter physical
buildings and to gain access to computer services. NFC is being leveraged to
enable this to happen and I was pretty impressed with the NFC
sleeve that they are using to enable iPhones to benefit from this
technology (come on Apple get NFC on iPhone 5 please). This technology is not just the preserve of the enterprise and government
user; the lock manufacturer Yale (owned by ASSA ABLOY) showcased NFC-enabled
locks for the consumer market at CES
2012. Definitely a technology to watch and something that could even be ported to cars.

BehavioSec

I met Hans Bergman and Olov Renberg from BehavioSec at their
stand and was given a demo on their mobile product, Behavio Mobile.
Up until recently, I feel that we have seen mobile authentication v 1.0, where
existing, non-mobile, authentication solutions have been ported to mobile
phones without a great deal of thought as to a. the uniqueness of the form
factor and b. how to authenticate the mobile channel, e.g. in-app. With
solutions such as Behavio Mobile we are now entering the second stage of
authentication on mobile devices where the design of the authentication
solution is centred on mobile – not solely shoehorning a smartcard or a token
solution onto a mobile phone.

Behavio Mobile uses a technique that the guys at BehavioSec
are calling Behaviometrics
(behavioral biometrics). Behavio Mobile collects behavioural statistics of the
normal usage pattern of using a mobile device, e.g. entering or swiping a
PIN-code on a touch-screen and then comparing this with previous usage to
decide if the user is who they say they are. Based on these biometric
inputs it can then accurately determine if the person tapping/swiping away on
their smart mobile device is the legitimate owner of the device or the correct
mobile bank customer is attempting to access their account details. The
solution has another great feature in that it can interact with BehavioSec’s own
risk engine or interface with third-party risk solutions, for example RSA’s
Adaptive authentication product. This could be a really interesting solution
for the type of ‘step-up’ verification that online banking is crying out for.
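To make the behaviometric idea concrete, here is an added illustration (my own example code, not BehavioSec’s product or algorithm) of how a touch-PIN profile can be enrolled from a user’s own attempts and then used to score new attempts. The feature names, the sample timings and the accept/step-up/reject thresholds are all constructed assumptions; a real deployment would learn the thresholds from data and hand the score to a risk engine rather than hard-coding them.

```python
"""Toy behaviometric scorer: enrol a touch-PIN entry profile, then score new attempts.

Added example, not BehavioSec code. Feature set, sample values and thresholds are
constructed for illustration only.
"""
from math import sqrt
from statistics import mean, pstdev

# Each PIN-entry attempt is summarised as one feature vector (assumed features):
#   dwell_ms     - mean time a finger rests on each key
#   flight_ms    - mean time between releasing one key and pressing the next
#   touch_px     - mean contact area reported by the touch-screen
#   speed_px_ms  - mean swipe speed between keys
FEATURES = ("dwell_ms", "flight_ms", "touch_px", "speed_px_ms")

# Constructed enrolment attempts from the legitimate device owner.
ENROLMENT_SAMPLES = [
    (110, 240, 40, 1.20),
    (120, 260, 42, 1.30),
    (130, 250, 38, 1.10),
    (115, 230, 41, 1.20),
    (125, 270, 39, 1.25),
    (120, 250, 40, 1.15),
]

# Constructed later attempts: the owner again, an impostor, and a borderline case.
GENUINE_ATTEMPT = (122, 255, 41, 1.22)
IMPOSTOR_ATTEMPT = (180, 400, 50, 0.80)
BORDERLINE_ATTEMPT = (135, 270, 42, 1.10)


def enrol(samples):
    """Build a profile: per-feature mean and population std dev of the user's own attempts."""
    profile = {}
    for i, name in enumerate(FEATURES):
        column = [s[i] for s in samples]
        # Floor the std dev so a perfectly constant feature cannot cause a divide-by-zero.
        profile[name] = (mean(column), max(pstdev(column), 1e-6))
    return profile


def anomaly_score(profile, attempt):
    """Root-mean-square of per-feature z-scores: 0 means 'exactly typical for this user'."""
    total = 0.0
    for i, name in enumerate(FEATURES):
        mu, sd = profile[name]
        total += ((attempt[i] - mu) / sd) ** 2
    return sqrt(total / len(FEATURES))


def decide(score, accept_below=1.5, step_up_below=3.0):
    """Map a score to an action. The grey zone is what a risk engine would escalate
    to step-up verification (e.g. an extra factor) rather than a hard reject."""
    if score < accept_below:
        return "accept"
    if score < step_up_below:
        return "step-up"
    return "reject"


def run_demo():
    """Enrol the owner and classify the three constructed attempts."""
    profile = enrol(ENROLMENT_SAMPLES)
    return {
        "genuine": decide(anomaly_score(profile, GENUINE_ATTEMPT)),
        "impostor": decide(anomaly_score(profile, IMPOSTOR_ATTEMPT)),
        "borderline": decide(anomaly_score(profile, BORDERLINE_ATTEMPT)),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The point of the grey zone in `decide` is the ‘step-up’ verification mentioned above: a behaviometric score on its own should rarely be the sole reason to lock a customer out, but it is a cheap, continuous signal that a risk engine can combine with other context before demanding a stronger factor.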

Live Ensure

I had previously met up in London with the UK team of Live
Ensure for an introduction to the company and their mobile authentication
solution. As their CTO, Christian Hessler,
was in town for Infosec it was a good opportunity to drill down further
into their product and business model. Christian is an infectious technology evangelist who really
gets the reasons why authentication has to change and knows why the mobile device,
in combination with ease-of-use and a true cloud experience, is its future.

In a similar manner to BehavioSec’s mobile solution,
Christian and his team have developed an authentication solution that is agile
and easy to use. Live Ensure is a non-persistent solution that uses a technology
called Digimetrics. This features three
key technologies: the first is a ‘touchless’ deep-device fingerprinting
solution, the second is a one-time disposable signature and the third is a ‘smart-channel’
communication that does not use the browser, something that is prone to
man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks. In addition to the usual suspects, banks, government and healthcare, I can really see this being used in large social networks such as Twitter and Facebook.

How to enable mobile
BYOD in the enterprise – without compromising security and usability?

One of the biggest current challenges that face information security
professionals is how to deal with the mobile BYOD trend: how to manage and securely
control employee-owned mobile devices that are being used for business
purposes. The recently published Goode Intelligence report, the GI
mSecurity survey report, discovered that well over two-thirds, 71 percent,
of organisations are allowing their employees to use their own mobile devices
for business use.

This trend is turning into a major headache for information
security professionals. There are many ways in which an organisation can manage
this threat; mobile device management (MDM) is one. However, this solution may
not be the best solution for all organisations and I met up with three vendors
that are enabling mobile BYOD in distinct ways: Cryptzone,
with their Director’s Portal, and the partnership of Echoworx and Nitrodesk (TouchDown) for secure email on
Android devices.

Cryptzone

Cryptzone consider that, in network security, data is the key
asset that needs to be protected and have developed a solution that can be used
by executives on their iPads, the Director’s Portal.

I met up with Cryptzone’s Peter
Davin to discuss the launch of the Director’s Portal solution. Peter stated that executives including board members are notoriously ‘unsavvy’ and lax
when it comes to transferring, sending and reading sensitive information. This
is especially the case for the new breed of Gucci kit, iPad et al, that C-level execs have brought into the boardroom. The Director’s Portal is a web-based, on-line, workspace devoted exclusively
to the board to use on their iPads. It offers directors secure access to
confidential materials and is based on Cryptzone’s experience of securing collaboration
and file sharing technology, in particular Microsoft’s SharePoint solution.

Echoworx / Nitrodesk

I retired to the sanctuary that was the Infosec press room
(complete with door marked “Dark Room”) to speak with Michael Ginsberg,
President and CEO, Echoworx, and Ronald Goins, Chief Operating Officer, Nitrodesk
(Ron’s CV includes being a bicycle patrol officer in downtown Seattle and a
Supreme Court-certified expert witness on interpreting body language – so I was
very careful in how I presented myself to him).

These two technology companies have teamed up to develop a
solution that supports secure email on Android devices (although the Echoworx mobilEncrypt ENDPOINT solution works
across all major mobile platforms including iOS). Echoworx supply the
cloud-based credential management solution (using PKI and digital certificates)
and Nitrodesk, through the excellent TouchDown product, provide the email client.

TouchDown
provides a true enterprise messaging solution that also supports a wide range
of MDM solution providers (we also had an excellent discussion on the state of
the MDM industry and who we thought would lead the pack and who would be
acquired in 2012 – I shall leave that debate to another blog – maybe).

Tuesday, 6 March 2012

Back from MWC#1: The
time is right for mobile biometric security

My feet have just about recovered from the many miles walked
during the recent Mobile World Congress
in Barcelona – I even had to dodge the barricades put up to contain the student
protesters (I counted twenty protestors and a couple of hundred Police) to
congratulate Alan Giles and the team at Fiberlink
after picking up a GSMA
2012 Mobile Award for “Best Enterprise Mobile Solution” for their MaaS360 MDM solution. A very worthy winner.

As a GSMA 2012 judge myself, I was honoured to be chosen to
judge the "Best Technology Product or Solution for Safeguarding and
Empowering Customers". This was won by Cloudmark
for their Mobile Messaging Security Suite.

Global Bilgi for
Turkcell Voice Verification

I was very impressed
by all of the nominees in this category and was delighted that one of the
nominees that made it to the shortlist was from a mobile network operator that
had deployed a biometric security solution that supported mobile devices; Turkcell’s
Global Bilgi for Turkcell Voice
Verification voice biometric service, powered by PerSay’s
VocalPassword technology provided by Nuance Communications. The solution uses a biometric speaker
verification system that verifies a speaker’s identity using acquired voice
samples. Samples of the caller’s voice are converted into voiceprints, or unique
algorithms based on the specific characteristics of the voice that are used to
authenticate and prove identity of Turkcell customers calling into their call
centre. The solution replaces a 4-digit PIN-based authentication solution and
has proved to be very successful with a reported four million enrolled
voiceprints.[1]

Another technology vendor that has developed a very
interesting voice recognition product is the UK-based technology vendor VoiceVault. I was speaking with their
Director of Product Marketing recently, Nik Stanbridge, who was starting to see
a change in the market with “significant opportunities being turned into
contracts”. Both Nik and I agree that we are seeing positive signs of growth in
the mobile biometric security market, largely driven by SMDs becoming the “key
entry points” for much of our personal and business lives. This trend is being
accelerated by mobile voice-based solutions including Apple’s SIRI that
according to Stanbridge, makes “people less reluctant / embarrassed at the
thought of speaking into a mobile device”.

VoiceVault’s solutions are focussed on identity verification
and transaction authorisation for two main use-cases:

On the device itself (phone lock / unlock)

As part of a device-based app’s mechanism for
logging onto a website - a high-security replacement for a password

Mobbeel

Another vendor that was showcasing their mobile biometric
security solutions during MWC was Spanish-based vendor Mobbeel. I have been following their progress
for some time now and was pleased to catch up with Rodrigo Sanchez Gonzalez,
CTO, and Abraham Holgado Garcia, Research and Development Director, on their
stand in the Spanish area of La Fira Courtyard.

Mobbeel are a relatively young company that have become
pioneers in the world of mobile biometric security. Their strength is to use the
standard features of a modern mobile device: touchscreen, camera, speaker and
fast processor, to support a variety of biometric modalities including
signature, iris, facial, hand and voice recognition. Unlike one of the other, much talked about,
mobile technologies, Near Field Communication (NFC), their solutions are not
reliant on an OEM to embed specific hardware, such as a fingerprint sensor.

I really like this company as they are not just developing
ground-breaking technology but developing use-cases and stories to educate the
market. Market education is sometimes extremely useful in emerging technologies
such as this. Take a look at their video channel to
see what I mean.

Fujitsu

Just across the courtyard area where Mobbeel were showcasing
their technology was the Japanese OEM Fujitsu, which used MWC to launch a
new range of SMDs to the European market. As well as being able to take these devices into the shower
or swimming with you (their waterproof capabilities were ably demonstrated by
an army of suitably wet-weather attired exhibitors) these quad-core powered
mobiles include embedded fingerprint sensors.

Using the same AuthenTec
supplied fingerprint sensors that have been powering NFC-based physical
payments in Japan through mobile network operator NTT DoCoMO, Fujitsu aims to
differentiate its devices from the crowd.

As someone who regularly uses a fingerprint sensor on his
Motorola Atrix 4G (another example of an AuthenTec supplied fingerprint sensor)
to protect a device from unauthorised access I can definitely see the
advantages of such a technology. However, Fujitsu needs to release APIs and
SDKs into the developer community to enable these devices to support other
authentication and identification features. This will ensure that this
technology becomes a must-have and not a maybe technology.

The time is right for
mobile biometric security

One of my roles as MD of Goode Intelligence is to track
emerging technologies in mobile security and to predict whether these
technologies will succeed and enter the mainstream.

My research into this sector started over one year ago and
resulted in the publication of an analyst report in June 2011, “mobile
phone security – analysis and forecasts 2011-2015”. In the report I
predicted that a biometric groundswell is building for Smart Mobile Devices.
The market is currently slow; but pressure is growing.

My subsequent tracking of this market and the buzz that was
surrounding this technology at this year’s MWC in Barcelona reconfirms my view
that conditions are ripe for rapid change; for biometrics to move from an
‘interesting concept’ to a ‘must have’ for all SMDs.